Prohibiting an IP range from going out to the Internet in Red Hat/CentOS Linux

Your interface specification in the iptables rule is backward.

You specified:

iptables -A OUTPUT -i eth0 -p tcp -d 192.168.0.0/16 -j REJECT

Using -i matches traffic that enters the system on the named interface.

Instead, you want to match traffic leaving the system on the named interface, which is done with -o.

iptables -A OUTPUT -o eth0 -p tcp -d 192.168.0.0/16 -j REJECT

(And you probably don't want -p tcp in there, otherwise non-TCP traffic might pass.)


In addition to Michael's answer, I think one should block the traffic in the FORWARD chain, since the OUTPUT chain applies only to locally generated packets going out from the firewall. As far as I know, it doesn't apply to routed packets.


You've already got the answer you needed to do it with iptables.

If you want to do it with routes, a good way is to have a route for 192.168.0.0/16 and have your VPN server send you two routes that are a bit more specific; in your case the two routes would be 192.168.0.0/17 and 192.168.128.0/17.

The /16 route would be fixed and null-routed:

ip route add blackhole 192.168.0.0/16

And your VPN server (or vpn-up script) would provide you with the others:

ip route add 192.168.0.0/17 via <VPNGW>
ip route add 192.168.128.0/17 via <VPNGW>

This is actually what the def1 option in OpenVPN does to override the default gateway without messing with existing routes.
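To show why the blackhole plus two /17 routes behaves as described (and what happens to that traffic when the VPN pushes nothing), here is an added longest-prefix-match model of the routing table; it is not part of the answer above, and the gateway addresses 203.0.113.1 and 198.51.100.1 are placeholders.

```python
import ipaddress

# Constructed routing table mirroring the answer: a fixed blackhole for the /16
# plus the two more-specific /17 routes the VPN server pushes. Both gateway
# addresses are placeholders (TEST-NET ranges), not values from the page.
VPN_GW = "203.0.113.1"
DEFAULT_GW = "198.51.100.1"
ROUTES = [
    ("192.168.0.0/16", "blackhole"),   # fixed: ip route add blackhole 192.168.0.0/16
    ("192.168.0.0/17", VPN_GW),        # pushed by the VPN server / vpn-up script
    ("192.168.128.0/17", VPN_GW),      # pushed by the VPN server / vpn-up script
    ("0.0.0.0/0", DEFAULT_GW),         # ordinary default route
]


def lookup(dst, routes=ROUTES):
    """Kernel-style longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def lookup_vpn_down(dst):
    """Same table with the VPN-pushed /17 routes withdrawn (tunnel down)."""
    return lookup(dst, [r for r in ROUTES if r[1] != VPN_GW])


if __name__ == "__main__":
    for dst in ("192.168.10.5", "192.168.200.1", "8.8.8.8"):
        print(dst, "-> up:", lookup(dst), "| VPN down:", lookup_vpn_down(dst))
```

With the tunnel up, both halves of 192.168.0.0/16 go via the VPN gateway because the /17s are more specific than the /16; with the tunnel down, the same destinations fall into the blackhole instead of leaking out the default route.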